  1. #1

    Server sending tons of traffic

    Hey everyone,
    Yesterday morning when I was accessing sites on my server, it took forever for pages to load. When I pinged my machine, the responses were an average of 1500 ms. Also, when I tried to ping other computers on the same network, there was a similar result. I called my ISP, and they suggested that one of the computers was sending too much traffic. It was my Linux webserver, for when I shut it down, everything went down to 40 ms.

    On the server, I noticed that qmail-remote was high in the process list in CPU usage, but 85.5% of the machine was idle. In the logs there are errors saying that it was out of memory, around the same time.

    What could cause this? What should I do? I do not have a ton of Linux experience but my primary concern is security (mainly that my machine isn't used for spam). Is there a way to tell if my machine has been hacked? Thank you very much for your help.

  2. #2
    I just heard yesterday of another Linux server sending out 40MB/s DDOS attack. Sounds like the script kiddies have figured out how to put trojans where they can do some real damage.

    I would find a good admin and see if your box is compromised. Could be a spam-bot too.

  3. #3
    Greetings:

    If you've not taken regular and ongoing steps to keep your system secure, consider the following.

    Security has to be done in layers to be most effective.

    For Unix-based systems, this should include the following:

    * Disable telnet.
    * Limit SSH access to specific IP addresses.
    * Disable direct root login.
    * Remove unnecessary packages / software.
    * Harden the kernel against synflood and basic DOS attacks.
    * Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
    * Ensure /tmp is in its own partition with noexec, nosuid.
    * Ensure kernel and software is up to date.
    * Remove unnecessary users and groups.
    * Install chkrootkit, logwatch, tripwire.
    * Install a firewall, and port scan detector.
    * For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and other H-Sphere applications.
    * Secure DNS Servers
    * Utilize firewall automation to mitigate brute force FTP, syn floods, mail bombs, and out-of-network trojan’d servers from impacting our servers

    It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still have a regular routine of review, update, research, patch, etc.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile
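A small audit script for three of the checklist items above (direct root login over SSH, /tmp mount flags, telnet in inetd), added here as an example and not part of the original post or any product mentioned in it. It takes the config file paths as arguments, so it can be pointed at the real files or at constructed samples; the function names and output format are this example's own.

```shell
#!/bin/sh
# Added example: audit a few hardening items by reading config files.
# Each check prints a finding and returns 0 on pass, 1 on fail.

# "Disable direct root login": sshd honours the first PermitRootLogin it sees.
check_root_login() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
          | awk '{print tolower($2)}' | head -n 1)
    if [ "$val" = "no" ]; then
        echo "PASS: PermitRootLogin no"
        return 0
    fi
    echo "FAIL: PermitRootLogin is '${val:-unset}' (older sshd defaults to yes)"
    return 1
}

# "/tmp in its own partition with noexec, nosuid": look at the fstab entry.
check_tmp_mount() {
    opts=$(awk '$1 !~ /^#/ && $2 == "/tmp" {print $4}' "$1" | head -n 1)
    if [ -z "$opts" ]; then
        echo "FAIL: /tmp has no separate fstab entry"
        return 1
    fi
    missing=""
    for flag in noexec nosuid; do
        case ",$opts," in
            *,"$flag",*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL: /tmp mounted with '$opts', missing:$missing"
        return 1
    fi
    echo "PASS: /tmp mounted with $opts"
    return 0
}

# "Disable telnet": any uncommented telnet line in inetd.conf is a finding.
check_telnet() {
    if grep -qE '^[[:space:]]*telnet[[:space:]]' "$1" 2>/dev/null; then
        echo "FAIL: telnet is enabled in $1"
        return 1
    fi
    echo "PASS: telnet not enabled in inetd"
    return 0
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/fstab /etc/inetd.conf
if [ "$#" -eq 3 ]; then
    rc=0
    check_root_login "$1" || rc=1
    check_tmp_mount "$2" || rc=1
    check_telnet "$3" || rc=1
    exit "$rc"
fi
```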
